Privacy notice for clients, suppliers and partners
Last modified June 2024
This privacy notice informs you how Avaloq Group Ltd. and its affiliates (hereinafter collectively referred to as “Avaloq”, “we” or “us”) collect, use, share, retain and dispose of personal data received whenever you communicate with us via any means of communication such as phone, email, fax, etc. (“Communication Channels”), obtain services or products from us, interact with us in relation to a business relationship or a contract or otherwise deal with us. In addition to this privacy notice, we may inform you about the processing of your data separately, for example in specific consent forms, terms and conditions, additional privacy notices, and other notices.
We may occasionally update this privacy notice. We encourage you to periodically review this privacy notice to be informed of how we process your information.
1. Who we are
We are the Avaloq Group Ltd. (“we”, or “us”), a Swiss company registered at Allmendstrasse 140, 8041 Zurich, Switzerland. We are the data controller responsible for the processing of personal data received when you are dealing with us. A list of our group companies and their locations can be found here.
2. How we obtain personal data
We may collect and receive personal data when communicating with you through Communication Channels, carrying out services for you, delivering our products to you, and otherwise interacting with you. Personal data means any information relating to an identified or identifiable natural person.
We collect personal data that you choose to voluntarily provide to us or that we request from you. We may also receive personal data from another party (e.g., your employer) depending on the business context and processing purpose.
3. The types of personal data we may process
The types of personal data we may process depend on the business context and the purposes for which it was collected. It may include:
Contact data – We may collect basic data about you that we need (in addition to contract data, see below), for the performance of our contractual and other business relationships, for marketing and promotional purposes, or for any other reason reflected in this privacy notice such as:
- Name, address, e-mail address, telephone number and other contact details, gender, date of birth, nationality, data about related persons, websites, social media profiles, photos and videos, copies of ID cards.
- Details of your relationship with us (customer, supplier, visitor, partner, service recipient, etc.), details of your status, allocations, classifications and mailing lists, details of our interactions with you (if applicable, a history thereof with corresponding entries), reports (for example from the media), or official documents (for example excerpts from the commercial register, permits, etc.) that concern you.
- Declarations of consent and opt-out information are also part of the contact data, as well as information about third parties, for example contact persons, recipients of services, advertising recipients or representatives.
- In relation to contact persons and representatives of our customers, suppliers and partners, contact data includes, for example, name and address, information about the role or function in the company, qualifications, powers of attorney, signature authorization, and (where applicable) information about superiors, co-workers and subordinates and information about interactions with these persons.
- We may collect information about certain actions, such as your response to electronic communications, for example if and when you have opened an e-mail, registered for an event or downloaded a content piece on our website.
- We may collect information about what your needs are, which products or services might be of interest to you. We obtain this information from feedback you give us during events, surveys and/or the analysis of existing data, such as behavioral data, so that we can get to know you better, tailor our advice and offers more precisely to you and generally improve our offers.
Contact data is not collected comprehensively for all contacts. The data collected in an individual case depends mostly on the purpose of the processing activity.
We process your contact data if you are a customer or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, with invitations to events, with newsletters, etc.).
User data – We may collect data about your use and interaction with Avaloq tools, such as:
- Records about your interactions with our tools and the data you enter in our tools;
- Session data in our tooling;
- Cache data related to the user interactions with the tools.
Recorded data may be propagated from the source system where the information was initially entered, to other tools where this information may be relevant.
Contract data – We may collect data that is required for the conclusion and performance of contracts such as:
- Data that is necessary for the conclusion of the contract that may include personal data, for example, the type and date of conclusion, information from the application process (such as the application for the performance of our products or services) and information about the relevant contract (for example its duration);
- Data that is necessary for pre-contractual compliance checks (as may be applicable e.g., for conflict-of-interest checks, due diligence, checks against sanction lists, etc.);
- Data that is necessary for the performance and administration of the contracts (for example information related to billing, customer service, technical assistance and enforcement of contractual claims);
- Information in connection with the execution of the contract (e.g., provision of services, product, assistance, etc.) and changes to a contract;
- Information about customer satisfaction that we may collect, for example, through surveys.
We generally collect this data from you, and/or from contractual partners and from third parties involved in the performance of the contract, and from public sources, as may be applicable.
Payment information – We may collect, for example, your bank details, account number and credit card data.
Other data – We may also collect data from you in other situations, depending on specific circumstances. For example, data that may relate to you, such as files and evidence that may be processed in relation to administrative or judicial proceedings. We may also collect data for health protection, for example as part of health protection concepts implemented at our premises in the context of a pandemic. We may obtain or create photos, videos, and sound recordings in which you may be identifiable, for example during virtual meetings, at events, or with security cameras. We may also collect data about who enters certain buildings, and when or who has access rights, including in relation to access controls, based on registration data or lists of visitors, who participates in events or campaigns and who uses our infrastructure and systems and when.
We may collect other types of personal data if required under applicable law or if necessary for the purposes listed below.
4. Purposes and legal bases for processing
We may collect and process your personal data for the purposes and on the legal bases identified in the following:
a. Communication purposes
We process your data for purposes related to communication with you, based on our legitimate interest in particular in relation to contractually agreed services, responding to inquiries and the exercise of your rights (Section 9) and to enable us to contact you in case of any other types of queries. We keep your data to document our communication with you, for training purposes, for quality assurance and for follow-up inquiries.
b. Initiation and performance of contractual relationship
We process data for the implementation of pre-contractual measures (such as performing internal pre-contractual compliance checks, creating contracts, etc.) as well as the conclusion, administration, billing/payment, and performance of contractual relationships. Where we do not ask for consent for processing, the processing of your personal data relies on the requirement of the processing for initiating or performing a contract with you (or the entity you represent) or on our or a third-party legitimate interest in the particular processing, in particular in pursuing the purposes set out in this Section 4 and in implementing related measures. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection law.
c. Use of Avaloq SaaS and BPaaS products and offerings
If your employer is a customer of Avaloq’s SaaS and/or BPaaS products and offerings, we process your personal data to initiate and/or execute the contract and/or perform services in connection with products and offerings which your employer purchased from Avaloq. The processing of your personal data is carried out based on our legitimate interest for the performance of the contract insofar as Avaloq renders services for your employer. This includes processing for the purpose of security.
d. Use of Avaloq tools
If your employer manages identifiers for Avaloq tools, we process your personal data to enable the usage of the Avaloq tools, and this data is propagated through various systems in order to provide or revoke access to your users to various tools, to improve your interactions in daily business with us, and to improve the performance of your business.
e. Procurement and use of services
If your employer is a service provider of Avaloq, we process your personal data (particularly your contact data, i.e., name, address, telephone number and e-mail address) to initiate or execute the contract or perform services which Avaloq purchases from your employer. The processing of your contact data is carried out based on our legitimate interest for the performance of a contract insofar as your employer renders services for us.
f. Filing, documentation and archiving
Avaloq is required by law and regulations to keep proper files and records and comprehensive documentation of its commercial transactions and services. These files and documentation must also be kept and stored after completion of a specific service for the stipulated statutory retention periods under applicable laws and regulations. Avaloq is also subject to other statutory documentation and retention obligations in connection with tax law, accounting, commercial or corporate law requirements for companies. The documentation, work products and associated client correspondence to be documented also contain personal data and as such are also part of file management and archiving. The processing is carried out on the basis of Avaloq’s statutory obligations under applicable laws, for example tax law, commercial and corporate law.
g. Relationship management and marketing
Avaloq also uses your contact data (particularly name, address, e-mail address) to obtain customer feedback or to send you information about other Avaloq offers or events. Such processing is carried out based on a legitimate interest of Avaloq. Avaloq has a legitimate economic interest in informing customers and clients about additional offers and events in order to cultivate and maintain long-term customer relationships. You can object to such contacts at any time or refuse or withdraw consent to be contacted for marketing purposes at any time with effect for the future by sending an e-mail to us (see our contact details in Section 10). Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.
h. Managing business contacts
If Avaloq obtains your contact data during a business event sponsored by Avaloq or others, or a business meeting (e.g., when business cards are exchanged) or in the context of a project, we use that contact data (particularly name, address, e-mail address) to also manage our business contacts, and to do this we transfer your contact data into our CRM (Customer Relationship Management) system. Such processing is carried out based on a legitimate interest of Avaloq. Avaloq has a legitimate economic interest in cultivating business contacts beyond the initial contact and using them to build a customer relationship and to stay in touch with its business contacts. This also includes the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently.
With your consent, we can target our online advertising on the internet more specifically to you. Where we ask for your consent for certain processing activities (for example for marketing mailings, for advertising management and behavior analysis on the website), we will inform you separately about the relevant processing purposes (e.g., in our Website Privacy Statement). You may withdraw your consent at any time with effect for the future by sending an e-mail to us (see our contact details in Section 10). For withdrawing consent for online tracking, see our Website Privacy Statement. Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.
i. Security
If you are using Avaloq systems or visiting Avaloq premises, we may use your personal data for security purposes based on our legitimate interest to ensure the security of our systems and premises.
j. Complying with legal obligations
We may process your personal data when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal data to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our online platform, responding to or filing contractual claims, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, responding to lawful requests, or for auditing purposes. We may also process your personal data in the event you file a data subject request with us for the purpose of processing and responding to such request.
We may process your data on other legal bases, for example, in the event of a dispute, as required in relation to a potential litigation or for the enforcement or defense of legal claims. In some cases, other legal bases may apply, which we will communicate to you separately as necessary.
5. How we may share personal data
We may share the personal data we collect and receive on a need-to-know basis with the following parties:
- Other affiliates of the Avaloq group (see here list of Avaloq group companies and locations), NEC (see here list of NEC group companies and locations) or their agents;
- Third-party providers that perform services for us;
- Our partners, only applicable if you request specific information on certain services where a respective partner is involved and/or you request such services;
- Competent public authorities or other third parties (if required by law or reasonably necessary to protect the rights, property and safety of ourselves or others).
We may also transfer your personal data in the event that we sell or transfer all or a portion of our business or assets on a need-to-know basis. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use personal data you have provided to us in a manner that is consistent with applicable law and this privacy notice.
We do not sell, rent, or trade your personal data.
6. Data transfers outside the EEA
We may transfer the personal data we collected to third parties in countries outside of Switzerland and the European Economic Area (EEA) or outside of the country where the data was initially collected. The laws in those countries may not offer an adequate level of data protection. Personal data may be transferred to Singapore, the Philippines, India, Japan, and the United States among others.
When we transfer your personal data outside of Switzerland, the EEA or outside of the country where the data was initially collected, we will protect your personal data as described in this privacy notice and in accordance with applicable laws, such as by entering into the European Commission’s Standard Contractual Clauses for the transfer of personal data to a processor located outside of Switzerland or the EEA.
7. How we protect your personal data
We maintain appropriate organizational, physical and technical security measures designed to protect your personal data against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. In order to protect your data we have – among others – implemented physical access control measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used. We implemented technical and organisational measures designed to prevent data processing systems from being used by unauthorized persons and measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use and after storage. When feasible we pseudonymize personal data, which means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures. To secure transfer control we took different measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment, e.g. use of VPN, logging of accesses and retrievals and provision of encrypted connections. Additionally, we ensure that personal data is protected against accidental destruction or loss (e.g. fire protection, data backups, secure storage of data media, virus protection, RAID systems, disk mirroring, etc.) and that our systems are capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident. However, due to the inherent open nature of the Internet, we cannot guarantee that communications between you and us or the personal information stored are absolutely secure. We will notify you of any data breach that is likely to have unfavourable consequences for your privacy in accordance with applicable law.
8. How long we retain your personal data
We retain personal data for as long as necessary to fulfil the purposes for which we collect or receive the personal data, except if required otherwise by applicable law, rules and regulations. Records retention details are established in Avaloq’s internal policies.
After expiry of the applicable retention periods, all personal data will be destroyed, anonymized or deleted using secure technology. This technology depends on the application and storage media used. Expired records are identified based on their creation or last modification date, the current date and the retention period. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data.
9. Your rights
You have the following rights in relation to your personal data:
- The right to obtain, at reasonable intervals and free of charge, information on whether your personal data are being processed and to receive the personal data that is being processed in an intelligible form;
- The right to have your personal data rectified, blocked or deleted if your personal data are incorrect, incomplete, inaccurate, irrelevant, outdated or processed unlawfully;
- The right to withdraw your consent at any time;
- The right to transfer your personal data to another controller, to the extent possible;
- The right to object on legitimate grounds to the processing of your personal data;
- The right to data portability;
- The right to file a complaint; and
- The right to damages or indemnification.
To exercise these rights, please contact us using our contact details set out below. We may request you to provide a copy of your ID card or otherwise evidence of your identity. We will respond to your request within the applicable statutory term.
10. How to contact us
If you have any comments or inquiries about the information in this privacy notice, if you would like us to update your personal data, or if you want to exercise your rights, please contact our Data Protection Officer by email at dataprotection@avaloq.com.